httpd-dev mailing list archives

On Tue, 7 Mar 2000, Ronald wrote:
> > But there is also Cache-Control: s-maxage=XXX, the reply may be served,
> > but you MUST revalidate to be sure that the user is authorized to get this
> > page if the current age is > XXX
>
> Just as a note: if digest authentication was used and the server is checking
> nonce-counts, then a resend of the same auth info when doing the revalidate
> will possibly trigger warnings on the server (mod_auth_digest, for example,
> will log an entry about a possible attack). But I'd say just try it, and if
> too many people complain then change the code to never resend previous digest
> auth info.

Unless you do the revalidation without the Authorization so that new
credentials are presented to the client. It requires one extra round trip,
but it would be the safer way at least for digest auth.
~~Yves
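
Added example, not part of the original thread and not mod_auth_digest's code: a simplified model of server-side nonce-count tracking (RFC 2617 `nc`), showing why a cache that resends the client's stored Authorization header on revalidation looks like a replay, and what a revalidation without Authorization gets instead. The header values, `NonceCountTracker` and the result strings are constructed for illustration.

```python
import re

# Constructed sample: the Authorization header a client sent with its first
# request. Every value here is made up for illustration.
SAMPLE_AUTH = ('Digest username="alice", realm="example", '
               'nonce="abc123", uri="/private/report", qop=auth, '
               'nc=00000001, cnonce="0a4f113b", '
               'response="00000000000000000000000000000000"')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Split a Digest Authorization header into a dict of its parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k.lower(): (q if q else t) for k, q, t in _PARAM.findall(rest)}

class NonceCountTracker:
    """Hypothetical server-side check: nc must increase for each nonce."""

    def __init__(self):
        self._last = {}  # nonce -> highest nc accepted so far

    def check(self, header):
        if header is None:
            # No credentials: the server answers 401 with a fresh challenge.
            return "challenge"
        params = parse_digest(header)
        nc = int(params["nc"], 16)  # nc is an 8-digit hex counter
        if nc <= self._last.get(params["nonce"], 0):
            # Same or older count for this nonce: logged as a possible replay.
            return "replay-suspected"
        self._last[params["nonce"]] = nc
        return "ok"

def simulate():
    server = NonceCountTracker()
    return [
        server.check(SAMPLE_AUTH),   # client's original request
        server.check(SAMPLE_AUTH),   # cache revalidates, resending the header
        server.check(None),          # cache revalidates without Authorization
        server.check(SAMPLE_AUTH.replace("nc=00000001", "nc=00000002")),
    ]

if __name__ == "__main__":
    print(simulate())
```
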